What the Information Regulator Expects From Your Business

Advisory

What South African SMEs Need to Know About PAIA, POPIA and the Information Regulator

Many South African business owners have heard of POPIA, but far fewer understand PAIA, the role of the Information Regulator, or what an “Information Officer” actually does. The good news is that for most SMEs, compliance is far less complicated than it sounds.

Here’s a simple breakdown of what you need to know.

Who is the Information Regulator?

The Information Regulator is the government body responsible for enforcing both:

  • POPIA (Protection of Personal Information Act)
  • PAIA (Promotion of Access to Information Act)

In simple terms:

  • POPIA deals with how businesses collect, store and protect personal information.
  • PAIA deals with how businesses give people access to information or records when legally requested.

The Regulator manages:

  • Information Officer registrations
  • PAIA annual submissions
  • Investigations and enforcement
  • General compliance monitoring

What is an Information Officer?

Every business in South Africa must have an Information Officer.

For most SMEs, this is automatically:

  • the owner,
  • director,
  • member,
  • or CEO of the business.

The Information Officer is responsible for:

  • making sure the business complies with POPIA and PAIA,
  • handling requests for information,
  • and communicating with the Information Regulator.  

Do you need to register the Information Officer?

Yes.

The Information Officer must be registered on the Information Regulator’s eServices portal before you can submit annual PAIA reports.  

Registration is done online and is free.

Thornberry helps all its clients to register the Information Officer.

 

What is the annual PAIA submission?

Each year, businesses are expected to submit a PAIA Annual Report to the Information Regulator.

This report tells the Regulator:

  • how many PAIA requests your business received,
  • whether those requests were approved or declined,
  • and how they were handled.  

Important dates

The submission window is usually 1 April to 30 June each year.

What if your business received zero PAIA requests?

For most SMEs, the answer is simple:

  • you still submit the report,
  • but all the fields will usually be zero.  

In many cases, the process takes less than 30 minutes once your Information Officer is properly registered.

Thornberry files the annual PAIA report for its clients.

What is a PAIA Manual?

A PAIA Manual is a document that explains:

  • what records your business holds,
  • how someone can request access to those records,
  • and who they must contact.

Think of it as:

“The guide explaining how people can request information from your business.”

Private companies are generally required to have a PAIA Manual under Section 51 of PAIA.  

 

What should a basic PAIA Manual include?

For most SMEs, a standard PAIA Manual usually contains:

  • Business details
  • Information Officer details
  • Contact information
  • Description of records held
  • POPIA processing information
  • Procedure for requesting records
  • Request forms and fees (where applicable)

 

Can you use a template PAIA Manual?

Yes — and for many SMEs, a template is perfectly acceptable.

A template usually works well when:

  • your business is relatively small,
  • you have simple operations,
  • you do not process large amounts of sensitive personal information,
  • and you do not operate in highly regulated industries.

Many SMEs use professionally prepared standard templates as a practical and cost-effective starting point.

 

When should you get a customised PAIA Manual?

A customised PAIA Manual is usually recommended when:

  • your business handles large amounts of customer data,
  • you operate in healthcare, finance, legal, recruitment, education or tech,
  • you have multiple branches or complex systems,
  • you share data internationally,
  • or you want stronger legal protection and reduced compliance risk.

A customised manual can also help ensure your PAIA and POPIA processes actually reflect how your business operates in practice — which becomes important during complaints, investigations or audits.

Thornberry can help you with compiling your PAIA manual.

What happens if you ignore PAIA and POPIA requirements?

The Information Regulator has increased its compliance enforcement in recent years.

Potential consequences can include:

  • investigations,
  • enforcement notices,
  • reputational damage,
  • and in serious cases, significant penalties.  

For most SMEs, however, compliance is mainly about:

  1. Registering the Information Officer,
  2. Having a PAIA Manual,
  3. Submitting the annual PAIA report,
  4. And following basic POPIA practices.

 

Final thoughts

For most South African SMEs, PAIA and POPIA compliance does not need to be overwhelming.

A simple, practical compliance setup is often enough:

  • register your Information Officer,
  • maintain an appropriate PAIA Manual,
  • and make sure your annual submissions are done on time.

Where businesses become more complex, a more customised compliance approach becomes worthwhile.

If you are unsure whether your current setup is compliant, it is often far cheaper to address it proactively than to deal with issues after the Information Regulator becomes involved.

Talk to us at Thornberry to ensure you are on the right track.

Johan Potgieter
